Privacy Policy

Last Updated: May 19, 2026  ·  Effective Date: May 19, 2026

1. Introduction

Kiro ("Kiro," "we," "us," or "our") provides an AI-powered receptionist service that handles phone calls and chat messages on behalf of small businesses (each, a "Business Client"). This service includes an AI voice agent, an AI chatbot, appointment and reservation handling, callback requests, and related notifications (collectively, the "Service").

This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you:

By using the Service, contacting a Business Client through the Service, or continuing a recorded call after the recording notice, you acknowledge the practices described in this Privacy Policy.

The Service is currently offered to businesses and customers in Canada and the United States. It is not directed at individuals located outside Canada and the United States.

We are committed to handling personal information in accordance with applicable privacy laws, including:

2. Accountability and Our Role

2.1 Privacy Officer

Kiro has designated a Privacy Officer who is responsible for our compliance with this Privacy Policy and applicable privacy laws. You may contact the Privacy Officer using the details in Section 15.

2.2 Our role: Business Client as controller, Kiro as service provider

It is important to understand the two roles involved in the Service.

The Business Client is the data controller. When you call or chat with an AI assistant, you are contacting a specific business (for example, a restaurant, salon, clinic, or other service provider). That business determines what information is collected from End Customers and the purposes for which it is used. The Business Client is responsible for its own privacy practices and for obtaining any consents required for its purposes.

Kiro acts as a service provider (data processor). Kiro processes End Customer personal information on behalf of, and under the instructions of, the Business Client in order to deliver the Service. Kiro does not use End Customer personal information for its own independent purposes, except that Kiro creates and uses aggregated and de-identified information as described in Section 4.4. Aggregated and de-identified information does not identify any individual and is not personal information.

If you have questions about how a specific Business Client uses your information, you should also contact that business directly.

3. Information We Collect

3.1 Information from End Customers (callers and chat users)

When you interact with an AI assistant through the Service, we may collect, on behalf of the Business Client:

You are not required to provide sensitive information. Please share only what is necessary for your request. The notice you receive at the start of each call — that the call is recorded and that recorded information will be processed to handle your request — also serves as notice that any sensitive details you choose to share during the call will be recorded and processed for that purpose. You may end the call, omit sensitive details, or contact the Business Client by another method at any time.

3.2 Information from Business Clients

When a Business Client uses the Service, we collect business contact details, owner or authorized-user name, email, phone number, business address, business hours, menu or service details, and account login information.

3.3 Information collected automatically

When you use our chatbot or websites, we may collect limited technical information such as IP address, browser type, device information, and usage data, through cookies or similar technologies, to operate and secure the Service. See Section 13.

4. How We Use Personal Information

4.1 To deliver the Service on behalf of the Business Client

4.2 To operate, secure, and support the Service

4.3 To provide quality and insights to the Business Client

4.4 Aggregated and de-identified information

We create aggregated and de-identified information — statistical and pattern information generated using methods intended to ensure that the result cannot reasonably be used, alone or in combination with other information, to identify or be linked to any individual. This activity is performed in accordance with our service provider agreements with Business Clients. We may use the resulting aggregated and de-identified information to operate, evaluate, and improve the Service. We implement technical and business safeguards designed to prevent re-identification, we do not attempt to re-identify de-identified information, and we contractually prohibit our service providers from doing so.

4.5 Communications

We send transactional messages — such as reservation or appointment confirmations and follow-ups — that relate directly to a request you made. These transactional messages are not commercial electronic messages and are exempt under CASL Section 6(6).

We do not send you marketing or promotional messages based on your interaction with an AI assistant. Your contacting a Business Client through the Service does not create consent to receive marketing messages. Marketing messages are sent only where the sender (normally the Business Client) has obtained your separate, express consent. Any commercial electronic message will identify the sender, provide contact information, and include an unsubscribe mechanism that remains valid for at least 60 days and is processed without delay and in any event within 10 business days, consistent with CASL.

4.6 Limits on use

We use personal information only for the purposes identified in this Policy or for purposes for which consent is obtained. We do not use call recordings or transcripts for unrelated purposes.

4.7 No use for AI model training; no biometric use

We do not use End Customer personal information, call recordings, or transcripts to train publicly available or third-party foundational AI models. Our AI service providers process this information to generate responses but, under their applicable terms for the interfaces we use, do not use it to train their models. We do not use voice recordings for biometric identification, voiceprinting, or voice fingerprinting.

5. Automated Processing and Human Assistance

The Service uses artificial intelligence to understand requests and generate responses. This is automated processing.

If you are not satisfied with the AI assistant, or prefer to speak with a person, you may request human assistance. The Service is designed to let you reach the Business Client or leave a callback request so that a person can follow up. The AI assistant does not make decisions that produce legal or similarly significant effects about you.

6. Call Recording Notice

Phone calls handled through the Service may be recorded and transcribed for quality assurance, service delivery, internal staff and service training, and record-keeping purposes. The references to "training" in this section refer to internal human review for quality and service-improvement purposes only, and do not mean the use of recordings to train artificial-intelligence models (see Section 4.7). At the start of each call you are informed that the call may be recorded, that you are speaking with an AI assistant, and that information you share during the call — including any sensitive details necessary for your request — will be processed to handle that request.

If you do not wish to be recorded, you may end the call and contact the Business Client by another method (for example, visiting in person, using a website, or sending a written message). Continuing the call after the recording notice indicates your consent to the recording for the stated purposes. If you end the call at the recording notice, any partial information collected up to that point is not used to fulfill a request and is deleted or de-identified in the ordinary course.

7. Disclosure of Personal Information

We disclose personal information only as follows:

We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising, as those terms are defined under applicable U.S. state privacy laws.

8. Service Providers and International Data Transfers

The Service relies on third-party providers that store and process personal information on servers located in the United States. As of the effective date of this Policy, our service providers and the functions they perform are:

Because these providers operate in the United States, your personal information is processed in, and subject to the laws of, the United States, including potential lawful access by U.S. courts, law enforcement, and government authorities (including under the U.S. CLOUD Act and similar legal authorities). We require our service providers, by contract, to protect personal information at a level comparable to this Policy and applicable law, and to use it only to provide services to us.

If you have questions about the collection, use, disclosure, or storage of personal information by our service providers outside Canada, or would like an up-to-date list of our service providers, you may contact our Privacy Officer (Section 15).

If we add or change a service provider that processes personal information, we will update this Section and, where required, notify Business Clients.

By using the Service, you acknowledge that your personal information will be transferred to and processed in the United States.

9. Data Retention

We retain personal information only as long as necessary to fulfill the purposes described in this Policy, to comply with legal and accounting obligations, to resolve disputes, and to enforce our agreements. Our standard retention periods are:

These periods may be adjusted with a Business Client where a different period is required for a legitimate purpose or by law. When personal information is no longer required, it is securely deleted or de-identified.

10. Security Safeguards

We use administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, use, disclosure, copying, or modification. These measures include access controls and authentication, encrypted connections (TLS) for data in transit, restricted database access, and use of reputable infrastructure providers.

No method of transmission or storage is completely secure. While we work to protect your information, we cannot guarantee absolute security.

11. Data Breach Response

If a breach of security safeguards involving personal information occurs, we will respond in accordance with applicable law.

12. Your Privacy Rights

Depending on your location, you may have the right to:

12.1 How to exercise your rights

Because the Business Client is the data controller, requests relating to End Customer information may be directed either to the Business Client or to Kiro. If you contact Kiro, we will work with the relevant Business Client to respond. To protect your privacy, we will take reasonable steps to verify your identity before responding. An authorized agent may submit a request on your behalf with proof of authorization.

We will respond within the timeframes required by applicable law (generally within 30 days under PIPEDA, and within 45 days under California law, in each case subject to permitted extensions).

12.2 Challenging compliance

If you have a concern or complaint about our handling of personal information, please contact our Privacy Officer first (Section 15). We will investigate and respond. If you are not satisfied, you may contact the Office of the Privacy Commissioner of Canada, or the Information and Privacy Commissioner of Alberta or British Columbia, where applicable.

12.3 California residents (CCPA/CPRA)

If you are a California resident, you have the right to know, access, correct, and delete personal information, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under California law. You also have the right to limit the use of sensitive personal information; we use sensitive personal information only as necessary to provide the Service and for the purposes described in this Policy, and not for inferring characteristics about you. We will not discriminate against you for exercising your rights.

The categories of personal information we collect, the sources, the purposes, and the categories of recipients are described in Sections 3, 4, 7, and 8 of this Policy.

12.4 Quebec residents (Quebec Law 25)

If you are a resident of Quebec, in addition to the rights above you may have the right to data portability (to receive certain personal information in a structured, commonly used technological format), and rights regarding automated decision-making, including the right to be informed of and to submit observations about a decision based exclusively on automated processing. You may also contact the Commission d'accès à l'information du Québec. The Service is currently provided in English; a French-language version of this Policy will be made available before the Service is actively offered to Quebec-based Business Clients.

12.5 For Business Clients

If you are a Business Client, you may access, correct, and delete your account information, and you may request export or deletion of your data upon termination of your account, subject to the terms of your service agreement with Kiro and to legal retention requirements. These matters may also be addressed in your separate service agreement or data processing agreement with Kiro.

13. Cookies and Similar Technologies

Our chatbot and websites may use cookies and similar technologies to operate the Service, remember preferences, maintain security, and understand usage. You can control cookies through your browser settings. Disabling certain cookies may affect how the Service functions.

14. Children's Privacy

The Service is intended for use by adults for general business communications and is not directed at children or minors. We do not knowingly collect personal information from minors — as defined under applicable law (for example, persons under 13 under the U.S. Children's Online Privacy Protection Act, and persons under 14 under Quebec Law 25) — in a manner requiring verifiable parental or guardian consent under applicable law.

Where a Business Client operates a service directed at or serving minors (for example, a pediatric clinic), the Business Client, as the data controller, is responsible for ensuring that appropriate parental or guardian consent is obtained for the collection and use of information about minors in accordance with applicable law.

If you believe a minor has provided personal information through the Service, please contact us so we can take appropriate action.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, contact our Privacy Officer:

Kiro — Privacy Officer
Jungtae Kim (김정태)
Address: 1271-5005 Dalhousie Dr NW, Unit 175, Calgary, AB T3A 5R8, Canada

If you are an End Customer with questions about how a specific business uses your information, please also contact that business directly.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date above and, where appropriate, provide additional notice. Your continued use of the Service after an updated Policy takes effect indicates your acknowledgment of the changes.